restructure PAM handling and update for currently supported Linux distributions

[schurzi]

The old handling of PAM was old and had some problems with current configurations.

This PR creates a completely new PAM configuration for RHEL distributions and adds faillock on RHEL and Debian. We still have no implementation for Arch and SuSE.

We now use a configuration that works with the automation tools from RedHat and the user can now run authconfigwithour disabling our changes. We also offer the possibiltiy of enabling sssd authentication, that should cover many usecases.

Testing is currently performed manually, since our CI does not contain testcases for PAM.

Test setup:

# RHEL distributions
yum install -y git openssh-server openssh-clients ansible

# Debian distributions
apt update
apt install -y git openssh-server openssh-client ansible

# all
mkdir -p ~/.ansible/collections/devsec/
cd ~/.ansible/collections/devsec/
git clone https://github.com/dev-sec/ansible-collection-hardening.git hardening
cd hardening
git checkout tally
ansible-galaxy collection install community.crypto

cat > test.yml <<EOF
---
- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - os_hardening
    - ssh_hardening
  vars:
    os_auth_retries: 2
    os_auth_lockout_time: 120
    ssh_permit_root_login: "yes"
    ssh_server_password_login: true
    ssh_client_password_login: true
    sshd_authenticationmethods: "password"
EOF

ansible-playbook test.yml

After applying these configuration we need to perform login tests via ssh and local login. These tests should cover root user and a normal user. We specially want to test lockout via faillock.

Tests performed:

• CentOS 7
• CentOS 8
• Fedora
• Amazon
• Debian 9
• Debian 10
• Debian Sid
• Ubuntu 16
• Ubuntu 18
• Ubuntu 20

[schurzi]

fixes #377

[schurzi]

open: add faillock config for Debian based distros

[schurzi]

fixes #273

[schurzi]

fixes #252

[schurzi]

mabe this warants a major version increase?

[schurzi]

fixes #278

[schurzi]

tested with current Fedora 33, it should work starting from Fedora 28 possibly earlier. But Ansible in this versions is no longer compatible with Collections. So I suppose this is ok.

[schurzi]

@rndmh3ro I think we should proceed. I tested Logins in various forms and everything seems in order. Upgrading also works for Debian and in RHEL based disrtos.

[schurzi]

now also tested the role update from previous version on centos7 and centos8